Linux-mm Archive on lore.kernel.org
 help / color / Atom feed
From: Matthew Wilcox <willy@infradead.org>
To: syzbot <syzbot+97ef6376738cb5104a71@syzkaller.appspotmail.com>
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, syzkaller-bugs@googlegroups.com,
	kent.overstreet@gmail.com, hch@lst.de
Subject: Re: BUG: Bad page state (8)
Date: Mon, 1 Feb 2021 12:52:29 +0000
Message-ID: <20210201125229.GO308988@casper.infradead.org> (raw)
In-Reply-To: <00000000000019201505ba43855e@google.com>

On Mon, Feb 01, 2021 at 02:07:22AM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:

Thank you, syzbot.  This is legit.  But annoying.

> BUG: Bad page state in process syz-executor.4  pfn:369c1
> page:0000000025f15602 refcount:0 mapcount:0 mapping:0000000000000000 index:0x3d pfn:0x369c1
> flags: 0xfff00000020005(locked|uptodate|mappedtodisk)
> raw: 00fff00000020005 dead000000000100 dead000000000122 0000000000000000
> raw: 000000000000003d 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set

Having the uptodate and mappedtodisk flags set is fine.  It's the 'locked'
flag which is triggering the bug.  Here's the code in question:

truncated:
        error = AOP_TRUNCATED_PAGE;
        put_page(page);
unlock:
        unlock_page(page);

So we're going to unlock the page!  But we actually have to unlock it first,
before the refcount goes to zero.  Does anyone see a better way than this?

(Andrew, this is a fix to "mm/filemap: add filemap_range_uptodate")

diff --git a/mm/filemap.c b/mm/filemap.c
index bc4c9ac0ef4a..a945102b55c2 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2322,8 +2322,9 @@ static int filemap_update_page(struct kiocb *iocb,
 		put_page(page);
 	return error;
 truncated:
-	error = AOP_TRUNCATED_PAGE;
+	unlock_page(page);
 	put_page(page);
+	return AOP_TRUNCATED_PAGE;
 unlock:
 	unlock_page(page);
 	return error;


      reply index

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-01 10:07 syzbot
2021-02-01 12:52 ` Matthew Wilcox [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210201125229.GO308988@casper.infradead.org \
    --to=willy@infradead.org \
    --cc=akpm@linux-foundation.org \
    --cc=hch@lst.de \
    --cc=kent.overstreet@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=syzbot+97ef6376738cb5104a71@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-mm Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-mm/0 linux-mm/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-mm linux-mm/ https://lore.kernel.org/linux-mm \
		linux-mm@kvack.org
	public-inbox-index linux-mm

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kvack.linux-mm


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git